Use the ipv6_compare function to compare two IPv6 addresses and determine their relative order. This function helps you evaluate whether one address is less than, equal to, or greater than another. It returns -1, 0, or 1 accordingly.

You can use ipv6_compare in scenarios where IPv6 addresses are relevant, such as sorting traffic logs, grouping metrics by address ranges, or identifying duplicate or misordered entries. It’s especially useful in network observability and security use cases where working with IPv6 is common.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL doesn’t have a built-in function for directly comparing IPv6 addresses. Users often work around this limitation by converting the addresses into a comparable numeric format using external scripts or custom commands.

```sql Splunk example | eval ip1 = "2001:db8::1", ip2 = "2001:db8::2" | eval comparison = if(ip1 == ip2, 0, if(ip1 < ip2, -1, 1)) ```` 
print comparison = ipv6_compare('2001:db8::1', '2001:db8::2')

ANSI SQL doesn’t natively support IPv6 comparisons. Typically, users must store IPv6 addresses as strings or binary values and write custom logic to compare them.

```sql SQL example SELECT CASE WHEN ip1 = ip2 THEN 0 WHEN ip1 < ip2 THEN -1 ELSE 1 END AS comparison FROM my_table ``` 
print comparison = ipv6_compare('2001:db8::1', '2001:db8::2')

Usage

Syntax

ipv6_compare(ipv6_1, ipv6_2)

Parameters

Name Type Description
ipv6_1 string The first IPv6 address to compare.
ipv6_2 string The second IPv6 address to compare.

Returns

An integer that represents the result of the comparison:

  • -1 if ipv6_1 is less than ipv6_2
  • 0 if ipv6_1 is equal to ipv6_2
  • 1 if ipv6_1 is greater than ipv6_2

Example

Use ipv6_compare to identify whether requests from certain IPv6 addresses fall into specific ranges or appear out of expected order.

Query

['sample-http-logs']
| extend comparison = ipv6_compare('2001:db8::1', '2001:db8::abcd')
| project _time, uri, method, status, comparison

Run in Playground

Output

_time uri method status comparison
2025-06-29T22:10:00Z /products/1 GET 200 -1

This example compares two static IPv6 addresses and attaches the result to each row for further filtering or grouping.

  • ipv6_is_match: Checks if an IPv6 address matches a given subnet. Use it for range filtering instead of sorting or comparison.
  • ipv4_is_private: Determines whether an IPv4 address is in a private range. Use this to filter non-public traffic.
  • ipv4_compare: Works the same way as ipv6_compare but for IPv4 addresses. Use it when your data contains IPv4 instead of IPv6.

Good evening

I'm here to help you with the docs.

I
AIBased on your context